We’ve just published a couple of knowledge base articles about Sitefinity security. This blog post rounds them up and looks at the best practices and benefits of keeping your WCM up to date.
At Progress we take security seriously and are committed to identifying and resolving any potential vulnerabilities. Sitefinity is rigorously tested and certified to the highest industry standards. And while we’re at it, we’d like to encourage you to keep your Sitefinity projects up to date.
Latest Sitefinity Version
With every new release, Sitefinity offers multiple performance benefits and a higher level of security. Cross-functional teams work hard to develop new features, introduce enhancements and resolve vulnerabilities. New releases get the latest versions of third-party libraries and plug-ins too, which means you gain on multiple levels in terms of higher performance and tighter security.
All in all, the latest Sitefinity version is your safest bet. Then again, if you’re running an older version, make sure you have the latest patch. Don’t take any chances. Security is not a gamble—a fact of life none of us would want to learn the hard way.
Sitefinity Security Advisories
The Sitefinity Knowledge Base is a great place to get useful tips and learn from the experience of fellow Sitefinity users. It’s also where Sitefinity Support posts important announcements advising our customers what action they should take to secure against vulnerabilities before they become exploits.
We’re going to look at exactly the kind of security advisories released in the last week or so. Ready to roll?
We start with the most recent Sitefinity Security Advisory, detailing a set of potential vulnerabilities that have been identified and resolved. It lists the available patches per version, which contain fixes for these vulnerabilities. It’s important to note that no action is required whatsoever for Sitefinity 13.0.
It’s the most recent official version and has the latest versions of libraries such as jQuery and AJAX, as well as all the highest-level security configurations. You’re welcome to read the article below and plan applying the latest patch for your version of Sitefinity—if you haven’t done so yet. Security patches are available for versions 7.0 through 12.2.
Security Advisory for Resolving Security vulnerabilities March/April 2020
read article
Next up, Sitefinity Support has added a comprehensive article on the notorious Blue Mockingbird exploit. It’s a malware attack that can potentially compromise web application security. The exploit is targeting old Telerik UI vulnerabilities that have long been resolved.
Although the vulnerabilities were patched all the way back in 2017—and the original security measures have been built upon since—attackers can be targeting organizations who haven’t upgraded to the patched version of the exposed components.
Blue Mockingbird and What It Means for Sitefinity
read article
The following article originally dates back to 2017, when the said exploit was identified and resolved. It just made sense for Sitefinity Support to update it as a reminder to customers who may not have taken action back then. It also covers some more recently resolved vulnerabilities.
Sitefinity 13.0 is secure and requires no action. Versions 10.2 to 12.2 need minimum intervention on your part and the article describes an automated process to update a relevant security setting in your project.
For versions 7.0 through 10.1, applying the latest available patch is highly recommended for those who haven’t yet got it.
Security Advisory Resolving Security Vulnerability CVE-2014-2217, CVE-2017-11317, CVE-2017-11357, CVE-2017-9248 in Sitefinity
read article
Lastly, the evergreen How to Apply the Latest Available Sitefinity Patch article was also updated, being a convenient resource for everyone who wants to keep their CMS protected and up to date.
As in every software system, the upgrade process is a necessity that should not be taken lightly. The importance of keeping your project secure cannot be overstated. Before we wrap it up, here’s a quick rundown of the best practices to observe
if you want the maximum security.
- Upgrade to the latest release or apply the most recent patch per your version
- Subscribe to the Progress Alert Notification Service (PANS)
- Keep an eye on our Knowledge Base and check new articles regularly
- In case you missed it, read the Sitefinity Security whitepaper
- Keep this handy: a valuable resource about upgrading Sitefinity
It also makes sense to review the Sitefinity bug fixing policy and the Sitefinity Lifecycle Policy Guide.
Bottom line, make sure you timely upgrade to the latest official release or, as a minimum, apply the latest patch for your product version. Stay on top of what’s new, plan accordingly and set time aside to apply updates. This should become a routine. It's never the wrong time to do the right thing.
Anton Tenev
A Sitefinity Product Marketer, Anton has a mixed background of software and writing for the web. He has spent the last 10 years in software development, on the project management and product ownership side, all the while writing about technology, gadgets and their use and usability. He is always trying to get to the bottom of things without missing the bigger picture.